"The New York Times this morning published a story about the Spamhaus DDoS attack and how CloudFlare helped mitigate it and keep the site online. The Times calls the attack the largest known DDoS attack ever on the Internet. We wrote about the attack last week. At the time, it was a large attack, sending 85Gbps of traffic. Since then, the attack got much worse. Here are some of the technical details of what we've seen."

This attack wasn't intended to bring down the net; just Cloudflare (and it didn't even succeed at that either).

However what this attack does highlight is the seriousness of unprotected open DNS resolvers, which were the servers exploited to generate the ~300Gb/s DDoS traffic. The repercussions of which could be a threat as it means criminals no longer need large botnets to take smaller organisations offline. All they need now is a modest amount of bandwidth to flood poorly configured DNS servers with forged UDP packets that are then multiplied up at the name servers by a factor of 10.

While DDoS attacks will always be a threat, open resolvers make it easier than ever to disrupt services and this latest story is basically a massive advert to anyone considering a denial of service attack.

I just hope the seriousness of this is taken on board and action is taken to mitigate the effectiveness of this attack (there's a few different approaches to this, one of them being to patch the name servers themselves, but personally I'd rather see ISPs, peers and exchanges to add some reverse engineering to their UDP forwarding - in that they only forward UDP packets if the IP address attached can be routed backwards - thus effectively checking if the sender matches what the UDP packet describes).

Apologies about the crude explanation. I'm not a networking expert (though there is overlap between that an my field in IT) so that last part I'm having to trust online sources as being accurate.